
SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT - PowerPoint PPT Presentation



  1. SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS
     Applying Due Care Via a Common Sense Approach
     April 2017

  2.
     • Ponemon 2014 SSH Security Vulnerability Report – 2000 global organizations surveyed (Ponemon, 2014)
       • 100% – all major enterprises depend on SSH for critical functions
       • Over half have experienced an SSH key-related compromise
       • 46% do not rotate or change keys
       • Only 25% have Secure Shell security controls in place
     • Ponemon Institute survey of 237 companies (Ponemon, 2016)
       • Malicious insider threat is the costliest
       • CY 2015 to 2016 saw a 14% increase
       • Large companies are the most vulnerable

  3. INSIDER THREAT – TRENDS
     • 2015 – "55% of cyber-attacks were carried out by insiders" (Rose, 2017)
     • 49% of IT professionals are more concerned with insider threats than with external threats (Bose, 2016)
     • Insiders
       • Careless employees
       • Unwitting, careless employees who provide opportunities to external threats
       • Malware
       • Employees who bend the rules to get their jobs done

  4. MORE NUMBERS – SPECIAL INTEREST ITEMS
     • National Industrial Security Program Operating Manual (NISPOM) Change 2 (DSS, 2016)
       • Directs cleared contractors to establish and implement insider threat programs
       • Designate an Insider Threat Program Senior Official (ITPSO) – must be identified as Key Management Personnel (KMP)
       • The ITPSO must have eligibility equivalent to or higher than the level of the Facility (Security) Clearance (FCL)
     • Federal Biz Ops
       • Search criteria – all current Fed, State, and US Territories opportunities, for key terms
       • Out of 31,100+ opportunities:
         • Cisco: appears 413 times
         • Linux: appears 190 times
         • UNIX: 137 times
         • SIEM: 16 times
         • Secure Shell: 4 times

  5. ABOUT THIS PRESENTATION
     • Presenter: Paul Collier
     • Defense contractor: 16 years
     • Information Assurance: 10 years – PKI, PKE, and auditing
     • Representing self (with employer approval)
     • Involvement with Secure Shell
       • Auditing web and application servers
       • Prototyping on cloud instances
       • Starting 2014 – dealing with anonymity
     • Areas of focus (diagram): Insider Threat, Secure Shell, Cloud Services

  6. OVERVIEW
     • What is secure shell?
     • What (or who) is an insider?
     • Key differences between SSL and SSH enablement
     • The "Startup" scenario
     • ShapeShift hack X3
     • Recommendations
     • Wrap-up

  7. WHAT IS SECURE SHELL
     • Secure Shell protocol
       • Secure remote login
       • Replaces Telnet, rlogin, rcp
     • Suite of utilities: SSH, SFTP, SCP
     • RSA key pairs for public-key authentication (the session keys come from a Diffie-Hellman based key exchange, not from the RSA pair)
       • The SSH public key is kept on the server side (authorized_keys file)
       • The SSH private key is on the client side – referred to as the ID (identity) key
     • Similarities to SSL
       • Client/server hello
       • Key exchange, MAC, and encryption
     • Advantage to an insider? Anonymity

  8. WHAT (OR WHO) IS AN INSIDER?
     • US-CERT: a current or former employee, contractor, or other business partner (US CERT, 2014)
     • Behavior prediction theories to consider (US CERT, 2014)
       • General Deterrence Theory (GDT): a person commits a crime if the expected benefit outweighs the cost of the action
       • Social Bond Theory (SBT): a person commits a crime if the social bonds of attachment, commitment, involvement, and belief are weak
       • Social Learning Theory (SLT): a person commits a crime if they associate with delinquent peers
       • Theory of Planned Behavior (TPB): a person's intention (attitude, subjective norms, and perceived behavioral control) toward crime is the key factor in predicting behavior
       • Situational Crime Prevention (SCP): crime occurs when both motive and opportunity exist

  9. WHAT (OR WHO) IS AN INSIDER?
     • Citibank – Plano, Texas (DOJ, 2016)
       • Lennon Ray Brown
       • Poor performance review
       • Shuts down 90% of Citibank's network worldwide
       • Calling card – a text message
     • Architectural firm – Florida (Fox News, 2008)
       • "Marie" makes a bad assumption
       • Deletes 7 years' worth of data

  10. KEY DIFFERENCES BETWEEN SSL AND SSH ENABLEMENT
     • First use for critical purposes
       • Initial SSH RSA-authenticated sessions require few prerequisites
       • Installing live SSL (X.509v3) key pairs requires many prerequisites
     • Differences in size – SSH keys are lightweight (Miller, 2011)
       • X.509v3 certificate contents: public encryption key, your unique name, issuer, validity dates, validation information, key usage, certificate policies
       • SSH key (BSD format) contents: public encryption key
     • X.509v3 asserts an ID; the SSH key is the ID
       • There is no issuer, expiry date, or revocation list behind an SSH key: the only record of who holds it is the authorized_keys entry (and its free-text comment), so owner mapping and expiry are the operator's job
     • Another problem: adding X.509v3 capability also adds more DoD requirements (DOD UCR, 2013)
       • SSH-only = 12 requirements
       • SSH supporting X.509v3 = 7 additional requirements

  11. THE "STARTUP" SCENARIO
     • Organic fertilizer company "Grow Smart" (fictitious)
     • Marketing a unique product
     • Venture capital
     • LOE < 20
     • Leveraging a Cloud Service Provider
     • Initial scope
       • Website – host product catalog
       • CRM & ERP
       • Email services – marketing, transactional, notifications, and receiving

  12. THE "STARTUP" SCENARIO – LAUNCH
     [Diagram: SSH key generation – Grow Smart generates the public and private key pair and keeps the private key; the public key is installed at the CSP]

  13. THE "STARTUP" SCENARIO – BUILD
     • Default settings
     • To expedite, Bob:
       • Decrypts the private key (strips its passphrase so it can be used unattended)
       • Uses the same key for service accounts
       • Applies no key restrictions

  14. THE STARTUP SCENARIO – OPEN FOR BUSINESS
     [Slide image: Grow Smart website mock-up – Home, Interactive Catalog, Gardening Tips, Sign-in, Register]

  15. THE STARTUP SCENARIO – OPEN FOR BUSINESS
     Orders! Profits! Celebration! Bob's a HIT!

  16. THE STARTUP SCENARIO – PAUSE FOR REVIEW
     • The Cloud Service Provider is a business partner (IdentityWeek, 2015)
     • Cloud instances are time savers, but watch for:
       • Backdoors and leftover credentials (Marinescu, 2013)
       • (Pre-)existing unsolicited connections (Marinescu, 2013)
       • Malware (Marinescu, 2013)

  17. THE STARTUP SCENARIO – PAUSE FOR REVIEW
     • Readily available cloud services lead to the temptation to expedite (Williams, 2012)
       • Logging and auditing left at the default configuration
       • The initial key pair was used throughout the build and post-launch
       • Decrypting the private key is a common practice
       • Using the same public key for service accounts is not a best practice
     • Bob's method – the "Pessimistic approach": "Build it quickly, get it out there, and validate the business before spending the time to engineer it for scaling" (Mombrea, 2012)
     • A recent stolen-key incident ran up $50K for an AWS customer (Quora, 2017)
     • Pre-launch planning
       • "What-if" analysis
       • Study the instance – collect information from the CSP
       • Actions to take after launch
       • Plan SSH key provisioning ahead of time (NIST, 2015)

  18. THE STARTUP SCENARIO – PAUSE FOR REVIEW
     • After first launch
       • Check for existing keys
       • Change keys
       • Clean, scrub, sanitize, and disinfect
       • Save the new instance
       • Repeat the above steps on the new instance
       • Test it – build a honey pot – leave it alone
       • Make corrections as needed
     • Bottom line – while cloud services do offer a time-saving benefit, use that time to benefit your security posture
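The audit Bob skipped in slide 13 (one unrestricted key pasted into every service account) and the "check for existing keys" step in slide 18 can be scripted. The Python below is an added example, not code from the presentation: it parses authorized_keys entries, computes the OpenSSH SHA256 fingerprint of each key, flags entries that carry no restrict/command=/from= option, and flags one key accepted by several accounts. The account names and key blobs in SAMPLE are constructed placeholders; collect_from_host() reads the real files on a Linux host.

```python
"""Inventory and audit authorized_keys entries: fingerprint every key,
flag entries with no restrictions, and flag one key accepted by several
accounts.  Added example, not code from the presentation; the sample
authorized_keys contents and account names below are constructed."""
import base64
import hashlib
import os
import pwd
import re
from collections import defaultdict

# One authorized_keys line: [options] keytype base64-blob [comment].
# Options may contain quoted strings with spaces, so they are scanned
# as a sequence of non-space runs or double-quoted runs.
ENTRY_RE = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"[^"]*")+)\s+)?'
    r'(?P<type>ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)'
    r'|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$'
)


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: base64(sha256(key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(opts):
    """Split the options field on commas that are outside double quotes."""
    fields, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def parse_entry(line):
    """Return (option names, key type, fingerprint, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        return None
    names = {f.split("=", 1)[0] for f in split_options(m["opts"] or "")}
    return names, m["type"], fingerprint(m["blob"]), m["comment"] or ""


def audit(accounts):
    """accounts: {username: authorized_keys text}.  Returns a list of findings."""
    findings = []
    accepted_by = defaultdict(set)  # fingerprint -> accounts that accept it
    for user, text in accounts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            entry = parse_entry(line)
            if entry is None:
                continue
            names, ktype, fp, comment = entry
            accepted_by[fp].add(user)
            if not names & {"restrict", "command", "from"}:
                findings.append(f"{user}:{lineno} {fp} ({comment}) has no restrict/command=/from= option")
            if ktype == "ssh-dss":
                findings.append(f"{user}:{lineno} {fp} is a DSA key (refused by default since OpenSSH 7.0)")
    for fp, users in accepted_by.items():
        if len(users) > 1:
            findings.append(f"{fp} is accepted by {len(users)} accounts: {', '.join(sorted(users))}")
    return findings


def collect_from_host():
    """Read every local account's ~/.ssh/authorized_keys (the default AuthorizedKeysFile)."""
    accounts = {}
    for pw in pwd.getpwall():
        path = os.path.join(pw.pw_dir, ".ssh", "authorized_keys")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                accounts[pw.pw_name] = fh.read()
    return accounts


# Constructed sample: Bob's build key pasted, unrestricted, into three
# accounts, plus one properly restricted automation key.  The base64
# blobs are placeholders, not real keys.
SHARED_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIGJ1aWxk"
BACKUP_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIGJhY2t1"
SAMPLE = {
    "bob": f"ssh-ed25519 {SHARED_BLOB} bob@laptop\n",
    "www-data": f"# web deploys\nssh-ed25519 {SHARED_BLOB} bob@laptop\n",
    "postgres": f"ssh-ed25519 {SHARED_BLOB} bob@laptop\n",
    "backup": ('restrict,from="10.0.0.0/24",command="/usr/local/bin/backup-pull" '
               f"ssh-ed25519 {BACKUP_BLOB} backup@bastion\n"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):  # swap in collect_from_host() on a real host
        print(finding)
```

The backup entry is the shape an automation key should have: restrict turns off forwarding, PTY and agent use, from= pins the source network, and command= pins the one program the key may run. Run the audit before the image is saved and again on a schedule, and keep the fingerprint list it produces as the baseline that NISTIR 7966 asks for.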

  19. THE STARTUP SCENARIO – CONTINUED
     • GOOD NEWS, Bob! We are hiring more IT professionals
     • Bob becomes dissatisfied
       • Left out of meetings
       • Feels ostracized
     • Makes a BAD choice

  20. THE STARTUP SCENARIO – THE HACK
     • Bob meets a foreign actor named Rovion
       • Slack account
       • Social networking
       • Reverse social engineering
     • Rovion makes an offer to Bob
     • Bob performs the 1st hack
       • Customer and order data
       • Engineering information
       • Vendor logon accounts
     • Customers begin complaining about ID theft
     • Grow Smart learns they have been hacked

  21. THE STARTUP SCENARIO – AFTERMATH
     • Grow Smart investigates
       • Log files
       • Collect/compare SSH key fingerprints from IT
       • Two public key fingerprints are suspect
       • Leadership presses Bob for answers
       • Bob resigns/leaves town (and sells login credentials to Rovion)
     • Rovion moves in
       • Installs a rootkit
       • Installs malware on employee laptops
       • Performs the 2nd and 3rd hacks within hours of "reopening"
     • Grow Smart hires a forensic analyst

  22. SHAPESHIFT HACK
     • The Grow Smart scenario was compiled from 3 back-to-back hacks against ShapeShift that began in March 2016
     • ShapeShift is a startup cryptocurrency exchange
     • Bob (an alias) was their "server guy"
     • Bob appears to have grown disgruntled and met up with a Russian hacker
     • Bob performed the first hack and ripped off $130K

  23. SHAPESHIFT HACK
     • ShapeShift response: right move, wrong time
       • Matched SSH keys with their owners, but only after the 1st hack
       • NISTIR 7966 recommends baselining authorized keys and key fingerprints (prior to deployment and periodically)
     • Hastily-built cloud infrastructure
       • The "Pessimistic approach" to cloud-building comes from the 2nd and 3rd hack scenario
       • But it wasn't Bob; this was CEO crisis response
       • NISTIR 7966 recommends having a backup and recovery plan already in place
     • Ledger Labs performed forensics (Perklin, 2016)
       • Default logging
       • Deleted logs
       • Inadequate employee and infrastructure security policy
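The owner matching that ShapeShift did only after the first hack (slide 23), and the fingerprint comparison Grow Smart runs in slide 21, can be done continuously from sshd's own log lines once a fingerprint-to-owner baseline exists. The Python below is an added example, not code from the presentation or from the ShapeShift investigation: it reads accepted-login lines, attributes each key to its baselined owner, and flags unknown keys, keys used for accounts they are not authorised for, password logins on a host that is supposed to be key-only, and one key logging in as several accounts. The log excerpt, the fingerprints and the baseline are constructed.

```python
"""Attribute sshd public-key logins to key owners from a fingerprint
baseline and flag what the baseline does not explain.  Added example,
not code from the presentation or from ShapeShift's investigation; the
log lines, fingerprints and baseline below are constructed."""
import re
from collections import defaultdict

# OpenSSH 6.8 and later log the key fingerprint with every accepted
# public-key login at the default LogLevel INFO, e.g.
#   sshd[4130]: Accepted publickey for bob from 10.0.1.20 port 50130 ssh2: ED25519 SHA256:...
ACCEPTED_KEY_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]{43})"
)
# Any other accepted method on a key-only host is itself a finding.
ACCEPTED_OTHER_RE = re.compile(
    r"Accepted (?P<method>password|keyboard-interactive/pam) for (?P<user>\S+) from (?P<ip>\S+)"
)


def placeholder_fp(tag):
    """Constructed placeholder fingerprint of the right shape (43 base64 characters)."""
    return "SHA256:" + (tag + "0" * 43)[:43]


# Constructed baseline of the kind NISTIR 7966 asks for: which person holds
# each key, and which accounts that key is authorised to log in to.
BASELINE = {
    placeholder_fp("BobLaptopKey"): {"owner": "bob", "accounts": {"bob"}},
    placeholder_fp("AliceLaptopKey"): {"owner": "alice", "accounts": {"alice"}},
    placeholder_fp("BackupBastionKey"): {"owner": "backup-job", "accounts": {"backup"}},
}

# Constructed auth.log excerpt: Bob's key used for service accounts and from an
# outside address, an unknown key on root, and a password login.
LOG = f"""\
Apr  3 02:11:07 web1 sshd[4121]: Accepted publickey for www-data from 10.0.1.20 port 50122 ssh2: ED25519 {placeholder_fp('BobLaptopKey')}
Apr  3 02:11:42 web1 sshd[4130]: Accepted publickey for bob from 10.0.1.20 port 50130 ssh2: ED25519 {placeholder_fp('BobLaptopKey')}
Apr  3 03:40:19 web1 sshd[4410]: Accepted publickey for root from 198.51.100.77 port 41022 ssh2: RSA {placeholder_fp('NeverSeenBefore')}
Apr  3 03:41:02 web1 sshd[4412]: Accepted password for alice from 10.0.1.31 port 50200 ssh2
Apr  3 03:55:55 web1 sshd[4470]: Accepted publickey for postgres from 198.51.100.77 port 41100 ssh2: ED25519 {placeholder_fp('BobLaptopKey')}
"""


def attribute(log_text, baseline):
    """Return findings: logins the baseline cannot explain, plus keys used by several accounts."""
    findings = []
    used_by = defaultdict(set)  # fingerprint -> accounts it logged in as
    for line in log_text.splitlines():
        m = ACCEPTED_KEY_RE.search(line)
        if m:
            user, ip, fp = m["user"], m["ip"], m["fp"]
            used_by[fp].add(user)
            entry = baseline.get(fp)
            if entry is None:
                findings.append(f"UNKNOWN key {fp} logged in as {user} from {ip}")
            elif user not in entry["accounts"]:
                findings.append(f"{entry['owner']}'s key logged in as {user} from {ip}, not in baseline")
            continue
        m = ACCEPTED_OTHER_RE.search(line)
        if m:
            findings.append(f"{m['method']} login accepted for {m['user']} from {m['ip']} (keys expected)")
    for fp, users in used_by.items():
        if len(users) > 1:
            owner = baseline.get(fp, {"owner": "unknown"})["owner"]
            findings.append(f"{owner}'s key used for {len(users)} accounts: {', '.join(sorted(users))}")
    return findings


if __name__ == "__main__":
    for finding in attribute(LOG, BASELINE):
        print(finding)
```

LogLevel VERBOSE in sshd_config additionally records the fingerprint of keys that were offered and refused, which is what you want when a stolen key is being tried against every account. Ship these lines off the host as they are written: in the ShapeShift case the local logs were deleted, and a baseline is only useful if the evidence it is compared against survives.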
